Do the same for the designated backup root bridge. These actions protect against
inadvertent shifts in STP that are caused by an uncontrolled introduction of a
new switch.
— On some platforms, the BPDU guard feature may be available. If so,
enable it on access ports in conjunction with the PortFast feature to
protect the network from unwanted BPDU traffic injection. Upon
receipt of a BPDU, the BPDU guard feature automatically disables the
port.
Mitigating Compromises Launched Through a Switch
Follow these recommended practices to mitigate compromises through a switch:
■ Proactively configure unused router and switch ports:
— Execute the shut command on all unused ports and interfaces.
Securing the Expanded Network 71
— Place all unused ports in a “parking-lot” VLAN, which is dedicated to
grouping unused ports until they are proactively placed into service.
— Configure all unused ports as access ports, disallowing automatic trunk
negotiation.
■ Consider trunk links: By default, Cisco Catalyst switches that are running Cisco IOS
Software are configured to automatically negotiate trunking capabilities. This situation
poses a serious hazard to the infrastructure because an unsecured third-party device
can be introduced to the network as a valid infrastructure component.
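As an added example (not from the book or from Cisco), the following Python script audits a constructed Catalyst running-config excerpt against the checks above: every port has an explicit switchport mode (so DTP cannot negotiate a trunk), every PortFast port also has BPDU guard, and every shut port sits in the parking-lot VLAN. The interface names, the config text and the parking-lot VLAN number 999 are assumptions chosen for the example.

```python
# Constructed excerpt of a Catalyst 'show running-config'; not taken from a real switch.
RUNNING_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
interface GigabitEthernet1/0/3
 spanning-tree portfast
 shutdown
!
"""

PARKING_LOT_VLAN = 999  # assumed VLAN number chosen for the "parking-lot" VLAN

def parse_interfaces(config):
    """Map each 'interface X' stanza to the set of its indented commands."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            stanzas[current] = set()
        elif current and line.startswith(" "):
            stanzas[current].add(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return stanzas

def audit(config, parking_vlan=PARKING_LOT_VLAN):
    """Return {interface: [findings]} for the port-hardening checks on this page."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        issues = []
        if not any(c.startswith("switchport mode ") for c in cmds):
            # Catalyst default is dynamic: DTP may negotiate a trunk with whatever is plugged in
            issues.append("no explicit switchport mode; trunk auto-negotiation possible")
        if "spanning-tree portfast" in cmds and "spanning-tree bpduguard enable" not in cmds:
            issues.append("portfast without bpduguard; injected BPDUs would be accepted")
        if "shutdown" in cmds and f"switchport access vlan {parking_vlan}" not in cmds:
            issues.append("unused (shut) port not placed in the parking-lot VLAN")
        findings[name] = issues
    return findings
```

Calling `audit(RUNNING_CONFIG)` reports GigabitEthernet1/0/1 and 1/0/2 as clean and flags all three gaps on GigabitEthernet1/0/3.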